Abstract

Proofs of typical safety properties of programs in temporal-logic-based systems can be facilitated by the use of two proof rules: the Rule of Negation and the ω-Induction Rule. We show that each of these rules is valid only on timelines of certain order types; the joint use of these two rules is valid only on timelines that are finite, or ordered like the natural numbers.

We demonstrate the use of these rules by giving proofs of safety properties of a simple concurrent program in the State Delta Verification System (SDVS).
1 Introduction

We consider automated theorem provers and proof checkers based on temporal logic with a linear timeline, in particular in their application to computer verification. The variations in possible temporal systems are manifold. One issue is the choice of the order type of the timeline or timeframe. Most temporal systems assume a timeline that is ordered like the natural numbers (a standard reference is [1] or [2]), though there are occasions where more general timelines have been suggested and used.

The State Delta Verification System [3] (SDVS) is a system whose temporal operators are based on the weak versions of the standard temporal operators □, ◇, and U, i.e., all future states may include the present.¹ Most proof commands do not impose any restriction on the underlying timeline. However, we have found that in order for certain safety properties to be valid, we had to restrict the timelines admitted by our logic.

The constraints that certain proof rules impose on the timelines of temporal structures arise in two situations.

First, if the proof of a safety property of a program contains the negation of a temporal formula with "until," then it is often convenient to simplify that formula by using the Negation Rule:

$$\neg(p\ \mathcal{U}\ q) \equiv [\Box\neg q \vee \neg p \vee (\neg q\ \mathcal{U}\ (\neg p \wedge \neg q))]$$

Since this rule is valid on precisely well-ordered timelines (Theorem 3), the proof of such a safety property could very well be valid only for temporal structures with well-ordered timelines. Such a property will be given in Section 5 (Theorem 6). The importance of this formula is that it "pushes" the negation of an until formula inside another until formula. Successive applications of this rule result in an equivalent formula in which no until operator is in the scope of a negation. In an important sense, this reduction is impossible for linear timelines that are not well-ordered.

Second, the proof of even a simple safety property of a nonterminating program may require an ω-Induction Rule of the form

$$[(\alpha \wedge \beta) \wedge \Box(\alpha \wedge \beta \to \exists a_0 \ldots \exists a_{n-1}\,(\bigwedge_{i<n} x_i = a_i \wedge (\alpha\ \mathcal{U}\ (\alpha \wedge \beta \wedge \bigvee_{i<n} x_i \ne a_i))))] \to \Box\alpha$$

where $\{x_i : i < n\}$ is the finite set of program variables.²

¹ $(M,t) \models p\ \mathcal{U}\ q$ is defined to hold iff $(M,t) \models p$ and there is $t' \ge t$ such that $(M,t') \models q$ and for all $s$, if $t \le s < t'$, then $(M,s) \models p$. Notice that even if $t' = t$, $p$ must hold at $t$.

² This rule might seem strange to those familiar with the more standard temporal logic induction rules, such as

$$(\alpha \wedge \Box(\alpha \to \mathit{Next}\,\alpha)) \to \Box\alpha.$$

First of all, the weakness of the until means that there is no definable Next operator; also, the weak until means that to guarantee "progress" we must explicitly include the conjunct representing the claim that some
program variable has changed value. Second, the above rule without $\beta$ (i.e., with $\beta = \mathit{true}$) is weaker in our proof system. We use $\beta$ in the proofs of safety properties of loops, specifically by letting $\beta$ encode the claim that execution is at the "top of the loop."

Consider, for example, the program P that initially assigns to its only variable $x$ the value zero and thereafter repeatedly decrements the value of $x$ by one. Clearly one safety property, $S$, that this program satisfies is that at every time in the future, the value of $x$ will be less than or equal to zero. However, a "natural" translation of this program into temporal logic, for example the translation into the formula simply asserting "$x$ is equal to zero now and at every time in the future the value of $x$ will be discretely decremented by one,"³ will be true in the temporal structure whose timeline is $\omega + \omega$ and in which the values of $x$ are

$$0, -1, -2, \ldots, 1, 0, -1, -2, \ldots$$

However, $S$ fails to be true in this model; the problem is the limit point of the timeline at which the value of $x$ is 1. Note that $\omega + 1$ is embeddable in this timeline.

It is easy to prove that the ω-Induction Rule above is valid for precisely those temporal structures in whose timeline $\omega + 1$ is not embeddable (Theorem 4).

Thus, to recapitulate, the use of the Negation Rule implies that the timeline is well-ordered, and the use of the ω-Induction Rule implies that the timeline does not embed $\omega + 1$. Hence, the use of both implies that the timeline is either finite or isomorphic to $\omega$.

We give examples of two safety properties and their proofs in SDVS that use the above rules. Here we will be concerned only with understanding enough about SDVS in order to translate the results of Sections 2 and 3 into the logic and proof commands of SDVS. The logical formulas of SDVS are called state deltas, which are written in a precondition-postcondition style, but correspond roughly to temporal logic with weak box (□), diamond (◇), and until (U). This weak semantics was chosen because we wanted the truth of state delta formulas to be preserved under "stuttering," i.e., through a time interval where no values of local variables change.

The particular syntax of state deltas was chosen to facilitate intuitive proofs of program correctness by symbolic execution. The reader is referred to [4] for the exact correspondences.

The Negation Rule is incorporated in SDVS as the proof command negate and the ω-Induction Rule as the proof command omegainduct (Section 6). It thus follows that proofs in SDVS+negate+omegainduct are valid only for temporal structures whose timelines are either finite or isomorphic to $\omega$.

What restriction on the applicability of such a safety proof does the timeline restriction impose? There are examples where, in order to represent faithfully a computation, it has been suggested to assume a non-$\omega$ timeline. In such cases, a proof of safety must utilize other rules. For examples see [5] and [6], or [7].

³ Of course, there is another translation of P that by the above usage would have to fall into the "unnatural" category; this translation obviates the need for induction: add the sentence saying that $x$ never increases.

Now we define the structures over which we interpret temporal formulas. We are given
a first-order structure that can be thought of as the domain of values, a set of variables ranging over those values, and a finite set of variables that can be thought of as the set of program variables.

Definition 1 Let $A$ be a first-order structure, GlobalVars a set, and ProgramVars a finite set. A first-order temporal structure $M$ with base $A$ is a triple $((T,<), \Sigma, \sigma)$ such that

• $(T,<)$, the timeline, is a linearly ordered set with a least element, usually denoted by $t_0$;

• $\Sigma : \mathit{GlobalVars} \to |A|$; and

• $\sigma : T \times \mathit{ProgramVars} \to |A|$.

We assume the normal syntax for first-order temporal logic with propositional operators ∧, ∨, ¬, and the "weak future" semantics for the temporal operator U, as described above. The operators (weak) □ and (weak) ◇ are defined in terms of U in the standard manner, e.g.

$$(M,t) \models \Diamond q \;\equiv\; (M,t) \models (\mathit{true}\ \mathcal{U}\ q) \;\equiv\; \exists t' \ge t\ (M,t') \models q$$

We refer to this language as Weak Propositional Temporal Logic, WPTL. The state delta language and an intermediate language will be introduced in Section 4.

Notation: If $\Theta$ is an interval of the timeline $T$, then $M \cap \Theta \models \phi$ is defined by $\forall t \in \Theta\ (M,t) \models \phi$.
2 Negation

In this section we show that negations can be pushed inside WPTL formulas if and only if the timeline is well-ordered. Thus, using the Negation Rule

$$\neg(p\ \mathcal{U}\ q) \equiv [\Box\neg q \vee \neg p \vee (\neg q\ \mathcal{U}\ (\neg p \wedge \neg q))]$$

entails an assumption that the timeline is in fact well-ordered.

First we show that the above Negation Rule is not valid in general, and that no similar rule for simplifying negations is valid.

Definition 2 A WPTL formula is positive if no temporal operator is in the scope of ¬.

Theorem 1 There is a WPTL formula $\alpha$ that is not equivalent to any positive WPTL formula.

Note: Without U all WPTL formulas are equivalent to positive formulas.

Proof: Let $\alpha = \neg(\neg p\ \mathcal{U}\ p)$, i.e., that there is no first time at which $p$ is true. We will define a temporal structure (over a non-well-ordered timeline) in which $\alpha$ is not equivalent to any positive formula.

Let $M_1$ be the temporal structure over the timeline $\{t_0, \ldots, s_i, \ldots\}$, where $i$ ranges over the negative integers, of order type $1 + \omega^*$ ($\omega^*$ is the order type of the negative integers), where $p$ is true at $t$ iff $t > t_0$, and let $N_1$ be the temporal structure over $\{t_0, t_1\}$ where $p$ is defined similarly (i.e., false at $t_0$ and true at $t_1$).

Note that $(M_1,t_0) \models \alpha$ and $(N_1,t_0) \models \neg\alpha$.

Let $\Gamma = \{\gamma : \gamma$ is a WPTL formula such that $(M_1,t_0) \models \gamma \to (N_1,t_0) \models \gamma\}$.

The theorem will follow if we show that $\Gamma$ contains all the positive formulas, as implied by the following lemma:

Lemma 1 The following facts are true of $\Gamma$:

1. $\Gamma$ contains all static (containing no temporal operator) formulas.

2. $\Gamma$ is closed under ∧ and ∨.

3. $\Gamma$ is closed under □ and ◇.

4. $\Gamma$ is closed under U.

Proof of Lemma: The first two items are obvious. The next one follows from:
Claim: For every WPTL formula $\tau$ and every negative integer $i$,

$$(M_1, s_i) \models \tau \;\to\; (N_1, t_1) \models \tau$$

The proof is a simple induction on the complexity of $\tau$; it also is a trivial consequence of Corollary 3 in [4].

Now consider fact 4. Let $(M_1,t_0) \models \gamma\ \mathcal{U}\ \delta$ where $\gamma, \delta \in \Gamma$. If $(M_1,t_0) \models \delta$, we are through. Otherwise, $(M_1,s_i) \models \delta$ for some $i$ and $M_1 \cap [t_0,s_i) \models \gamma$.

Thus, $(N_1,t_1) \models \delta$ by the above claim and $(N_1,t_0) \models \gamma$ (Lemma 1 and Theorem 1). ∎

The above theorem can be strengthened as follows:

Theorem 2 There is a WPTL formula $\alpha$ such that for every timeline $T$ that has an initial element but is not well-ordered, $\alpha$ is not equivalent to a positive formula over $T$.

Proof: Let $\alpha$ be as before, and let $t_0$ be the initial element of $T$. Since $T$ is not well-ordered, there is a decreasing sequence $\ldots > r_i > r_{i+1} > \ldots$. Let $J = \{t \in T : (\exists i)\ t > r_i\}$ and $I = T - J$.

Define $M_2$ over $T$ by $(M_2,t) \models \neg p$ iff $t \in I$. Let $t_1 > t_0$ and define $N_2$ by $(N_2,t) \models \neg p$ iff $t < t_1$.

Note that $(M_2,t_0) \models \alpha$ and $(N_2,t_0) \models \neg\alpha$.

By Theorem 3 of [4], for every formula $\gamma$, $(N_2,t_0) \models \gamma$ if and only if $(N_1,t_0) \models \gamma$. And likewise $(M_2,t_0) \models \gamma$ if and only if $(M_1,t_0) \models \gamma$. Thus, the desired result follows from Lemma 1. ∎

Theorem 3 The Negation Rule is true if (and only if) the timeline is well-ordered.

Note that the "only if" part follows from Theorem 1.

Proof: The right-to-left implication of the Negation Rule is always true.

Now assume $T$ is well-ordered with initial element $t_0$, $M$ is a temporal structure over $T$, and $(M,t_0) \models \neg(p\ \mathcal{U}\ q)$. If $(M,t_0) \models \Box\neg q$ or $(M,t_0) \models \neg p$, we are done.

So assume otherwise: let $(M,t_0) \models p$, and let $t_1 \ge t_0$ be the least such that $(M,t_1) \models q$. In fact, $t_0 < t_1$, otherwise $(M,t_0) \models p\ \mathcal{U}\ q$. Thus, $M \cap [t_0,t_1) \models \neg q$. Let $t_2 \ge t_0$ be the least such that $(M,t_2) \models \neg p$. Thus, $t_0 < t_2 < t_1$, otherwise, again, $(M,t_0) \models p\ \mathcal{U}\ q$. Thus, $(M,t_2) \models \neg p \wedge \neg q$, $M \cap [t_0,t_2) \models \neg q$, so $(M,t_0) \models (\neg q\ \mathcal{U}\ (\neg p \wedge \neg q))$. ∎
3 ω-Induction

In this section we show that the ω-Induction Rule is valid if and only if the timeline does not embed $\omega + 1$. Thus, the use of this rule entails the assumption that in fact the timeline does not embed $\omega + 1$.

The ω-Induction Rule states that

1. if $\alpha$ (the "always" formula) and $\beta$ (the "auxiliary" formula) are true now,

2. and it is always true in the future that if $\alpha$ and $\beta$ are true, then $\alpha$ is true until some variable has changed value and $\alpha$ and $\beta$ are true again,

3. then $\alpha$ will be always true in the future.

Formally, the Induction Rule is given by the following sentence:

$$[(\alpha \wedge \beta) \wedge \Box(\alpha \wedge \beta \to \exists a_0 \ldots \exists a_{n-1}\,(\bigwedge_{i<n} x_i = a_i \wedge (\alpha\ \mathcal{U}\ (\alpha \wedge \beta \wedge \bigvee_{i<n} x_i \ne a_i))))] \to \Box\alpha$$

where $\{x_i : i < n\}$ is the finite set of program variables.

Theorem 4 The ω-Induction Rule is valid over $T$ iff $T$ does not embed $\omega + 1$.

Proof:

⇐: Assume $T$ does not embed $\omega + 1$ and let $M$ be a temporal structure over $T$ such that $(M,t_0)$ satisfies the antecedent of the ω-Induction Rule. Thus, there are $t_i \in T$, $t_i < t_{i+1}$, where $M \cap [t_i,t_{i+1}] \models \alpha$ and $(M,t_i) \models \beta$. If the conclusion of the ω-Induction Rule is not true, i.e., if $(M,t_0) \not\models \Box\alpha$, then there is some $t_\omega$ such that $(M,t_\omega) \models \neg\alpha$. Since $t_i < t_\omega$ for all $i$, the sequence $\{t_0, \ldots, t_i, \ldots, t_\omega\}$ constitutes an embedding of $\omega + 1$ into $T$, a contradiction.

⇒: Assume $T$ embeds $\omega + 1$, and let $t_0 < t_1 < \ldots < t_\omega$ be the image of such an embedding. Define $M$ over $T$ such that $M$ has one local variable $x$ whose values are $(M,t) \models x = -i$ for $t \in [t_i,t_{i+1})$, $i < \omega$, and $x = 1$ elsewhere, including $t_\omega$. Now for $\alpha = [x \le 0]$ and $\beta = \mathit{true}$, we get that the proof rule is not true in $M$. ∎
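The following is an added example, not code from the paper or from SDVS: a small evaluator for WPTL with the weak until of footnote 1, over timelines that are either finite or isomorphic to ω (represented as a lasso, a finite prefix followed by a loop that repeats forever), together with exhaustive checks that the Negation Rule of Section 2 and the ω-Induction Rule of this section hold on every such timeline of a small size, as Theorems 3 and 4 predict for timelines that are well-ordered and do not embed ω+1. The Model class, the lasso representation and the encoding of formulas as closures are assumptions of this example.

```python
"""WPTL with weak until over finite and omega-like timelines (added example, not the paper's code).
Time points are 0, 1, 2, ...  A Model is finite, or a lasso that stands for a timeline
isomorphic to omega by repeating states[loop_start:] forever.  Formulas are closures
f(model, t) -> bool; a state is a dict of variable values."""
from itertools import product

class Model:
    def __init__(self, states, loop_start=None):
        self.states, self.loop_start = list(states), loop_start

    def state(self, t):
        n = len(self.states)
        if self.loop_start is None or t < n:
            return self.states[t]
        period = n - self.loop_start
        return self.states[self.loop_start + (t - self.loop_start) % period]

    def horizon(self, t):
        """Points t .. horizon-1 exhaust the distinct futures of t: on a lasso the
        future of a point depends only on its offset within the loop."""
        n = len(self.states)
        return n if self.loop_start is None else max(t, self.loop_start) + n - self.loop_start

# Connectives, and the weak-future operators of footnote 1: p U q holds at t iff
# p holds at t and some t' >= t satisfies q with p holding on [t, t').
def atom(name): return lambda m, t: bool(m.state(t)[name])
def neg(p): return lambda m, t: not p(m, t)
def conj(*ps): return lambda m, t: all(p(m, t) for p in ps)
def disj(*ps): return lambda m, t: any(p(m, t) for p in ps)
def implies(p, q): return lambda m, t: (not p(m, t)) or q(m, t)

def until(p, q):
    def f(m, t):
        if not p(m, t):
            return False
        for t2 in range(t, m.horizon(t)):
            if q(m, t2):
                return True          # q reached while p held on [t, t2)
            if not p(m, t2):
                return False         # p failed before any q
        return False                 # p forever, q never
    return f

def always(p):                       # weak box: p at every t' >= t, t included
    return lambda m, t: all(p(m, t2) for t2 in range(t, m.horizon(t)))

def valid(formula, m):
    """True iff the formula holds at every time point of m (one period suffices)."""
    return all(formula(m, t) for t in range(m.horizon(0)))

def negation_rule(p, q):
    """Formula that is true exactly where both sides of the Negation Rule agree."""
    lhs = neg(until(p, q))
    rhs = disj(always(neg(q)), neg(p), until(neg(q), conj(neg(p), neg(q))))
    return lambda m, t: lhs(m, t) == rhs(m, t)

def omega_induction_parts(alpha, beta, var):
    """Antecedent and conclusion of the omega-Induction Rule for one program variable."""
    def step(m, t):
        a = m.state(t)[var]          # the existential witness: x = a now
        changed = lambda m2, t2: m2.state(t2)[var] != a
        return until(alpha, conj(alpha, beta, changed))(m, t)
    antecedent = conj(alpha, beta, always(implies(conj(alpha, beta), step)))
    return antecedent, always(alpha)

def all_models(values, length, keys):
    """Every finite timeline and every lasso of this length over the value set."""
    for vals in product(product(values, repeat=len(keys)), repeat=length):
        states = [dict(zip(keys, v)) for v in vals]
        yield Model(states)
        for ls in range(length):
            yield Model(states, loop_start=ls)

def check_negation_rule(length=3):
    """Theorem 3 instance: the rule holds on every small well-ordered timeline."""
    rule = negation_rule(atom("p"), atom("q"))
    return all(valid(rule, m) for m in all_models((False, True), length, ("p", "q")))

def check_omega_induction(length=3):
    """Theorem 4 instance with alpha = [x <= 0], beta = true: no timeline here embeds omega+1."""
    alpha, beta = (lambda m, t: m.state(t)["x"] <= 0), (lambda m, t: True)
    ante, concl = omega_induction_parts(alpha, beta, "x")
    return all(valid(implies(ante, concl), m) for m in all_models((-1, 0, 1), length, ("x",)))
```

On a finite timeline the antecedent of the ω-Induction Rule can never be discharged (the last point has no later point at which a variable has changed), so the rule holds there vacuously; on the lasso with x alternating 0, −1 the antecedent is true and the conclusion follows.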
4 Syntax and Semantics of SDVS

In this section we give a brief introduction to the syntax and the semantics of SDVS. For the reader who is acquainted with the usual temporal logic notation, we also introduce an intermediate language between the language of SDVS, $L_{SD}[I]$, and the language of classical first-order temporal logic. This intermediate language is $L_{(\#,.)}(\mathcal{U})$. Since $L_{SD}[I]$ and $L_{(\#,.)}(\mathcal{U})$ differ only in their temporal operator, in the definitions that follow we denote both languages by $L$.

4.1 Syntax

Alphabet

The alphabet of $L$ contains the following symbols:

• for every $n$-ary function $f$ of $A$, an $n$-ary function symbol $f$;

• for every $n$-ary predicate $p$ of $A$, an $n$-ary predicate symbol $p$;

• the binary predicate symbol $=$;

• the propositional constant true;

• the symbols ¬, ∧, #, and ∀;

• for $L_{(\#,.)}(\mathcal{U})$, the temporal operator symbol $\mathcal{U}$, until;

• for $L_{SD}[I]$, the temporal operator symbol state delta;

• a finite set, ProgramVars, of program variables (local variables); and

• a denumerable set, GlobalVars, of global variables.

Terms

The terms of $L$ are defined by induction:

• Every global variable is a term.

• For every program variable $x$, $.x$ and $\#x$ are terms.

• Every 0-ary function symbol is a term.

• If $t_1, \ldots, t_n$ are terms and $f$ is an $n$-ary function symbol, then $f(t_1 \ldots t_n)$ is a term.

• All terms arise by application of the above four clauses.
Note that unadorned program variables are not terms.

Formulas

The atomic formulas of $L$ consist of the propositional constant true and any string of the form $p(\tau_1 \ldots \tau_n)$, where $p$ is an $n$-ary predicate symbol and $\tau_1, \ldots, \tau_n$ are terms. The other formulas are defined inductively.

• Every atomic formula of $L$ is a formula of $L$.

• If $A$ and $B$ are formulas of $L$, then $(A \wedge B)$ and $\neg A$ are formulas of $L$.

• If $A$ is a formula of $L$ and $v$ is a global variable, then $\forall v A$ is a formula of $L$.

• If $A$ and $B$ are formulas of $L_{(\#,.)}(\mathcal{U})$, then $(A\ \mathcal{U}\ B)$ is a formula of $L_{(\#,.)}(\mathcal{U})$.

• If $A$, $B$, and $C$ are formulas of $L_{SD}[I]$, then $(A \to^{x_1 \ldots x_n}_{y_1 \ldots y_k} B)$ is a formula of $L_{SD}[I]$, where $x_1, \ldots, x_n$ and $y_1, \ldots, y_k$ are (possibly empty) strings of program variables. This formula is a state delta with precondition $A$, postcondition $B$, and invariant $C$.

Note that in the SDVS transcripts in Section 6.3 a state delta of the above form will be written as

[sd pre: A
comod: x1 ... xn
mod: y1 ... yk
inv: C
post: B]

Any degenerate fields are simply omitted, e.g. if the comod is empty or the inv is true.

4.2 Semantics

Let $M$ be a temporal structure (recall Definition 1). $M$ determines an evaluation $V_M$ that, for every pair of times $t_1$ and $t_2$ of $T$ such that $t_1 \le t_2$, maps every term $\tau$ of $L$ to an element $V_M(t_1,t_2,\tau)$ of the universe of $A$, and every formula $A$ of $L$ to a truth value $V_M(t_1,t_2,A)$ of the boolean algebra $\langle \{t,f\}; \wedge, \vee, \neg \rangle$.

Evaluation of Terms

Base Case: For every global variable $v$, $V_M(t_1,t_2,v) = \Sigma(v)$. For every program variable $x$, $V_M(t_1,t_2,.x) = \sigma(t_1,x)$ and $V_M(t_1,t_2,\#x) = \sigma(t_2,x)$.

Step Case: For every term $f(\tau_1 \ldots \tau_n)$,

$$V_M(t_1,t_2,f(\tau_1 \ldots \tau_n)) = f(V_M(t_1,t_2,\tau_1) \ldots V_M(t_1,t_2,\tau_n))$$
Evaluation of Formulas

Base Case: For the propositional constant true, $V_M(t_1,t_2,\mathit{true}) = t$. For every other atomic formula $p(\tau_1 \ldots \tau_n)$,

$$V_M(t_1,t_2,p(\tau_1 \ldots \tau_n)) = p(V_M(t_1,t_2,\tau_1) \ldots V_M(t_1,t_2,\tau_n))$$

Step Case: Let $A$ be a formula of $L$. We assume that $V_M(t_1,t_2,D)$ has been defined

• for every proper subformula $D$ of $A$,

• for every pair of times $t_1'$ and $t_2'$ of $T$ such that $t_1' \le t_2'$; and

• for every temporal structure $M^* = \langle\langle T,<\rangle, \Sigma^*, \sigma\rangle$, where $\Sigma^*$ is any evaluation of the global variables of $L$.

We now consider the various cases for $A$.

• If $A = (B \wedge C)$, then $V_M(t_1,t_2,A) = V_M(t_1,t_2,B) \wedge V_M(t_1,t_2,C)$.

• If $A = \neg B$, then $V_M(t_1,t_2,A) = \neg V_M(t_1,t_2,B)$.

• If $A = \forall v B$, then $V_M(t_1,t_2,A) = t$ iff for every

$$\Sigma^* : \mathit{GlobalVars} \to |A|$$

such that $\Sigma^*(w) = \Sigma(w)$ for every global variable $w \ne v$, if

$$M^* = \langle\langle T,<\rangle, \Sigma^*, \sigma\rangle$$

then $V_{M^*}(t_1,t_2,B) = t$. Otherwise, $V_M(t_1,t_2,A) = f$.

• If $A = (B\ \mathcal{U}\ C)$, then $V_M(t_1,t_2,A) = t$ iff $V_M(t_2,t_2,B) = t$ and there is a $t_3$ in $T$ such that $t_3 \ge t_2$, $V_M(t_2,t_3,C) = t$, and for all $t^*$ in $[t_2,t_3)$, $V_M(t_2,t^*,B) = t$. Otherwise, $V_M(t_1,t_2,A) = f$.

• If $A = (B \to^{x_1 \ldots x_n}_{y_1 \ldots y_k} C)$ with invariant $I$, then $V_M(t_1,t_2,A) = t$ iff for every $t_3 \ge t_2$ such that the values of the program variables $x_1, \ldots, x_n$ remain constant in the time interval $[t_2,t_3]$ and $V_M(t_2,t_3,B) = t$, there is a time $t_4 \ge t_3$ such that only the program variables $y_1, \ldots, y_k$ may change their value in the time interval $[t_3,t_4]$, and

 - $V_M(t_3,t_4,C) = t$,

 - $V_M(t_3,t_4,I) = t$,

 - for every time $t$ in $[t_3,t_4)$, $V_M(t_3,t,I) = t$.

Definition 3 Let $A$ be a formula of $L$, $M$ a temporal structure, and $t_1 \le t_2$ a pair of times of $T$. Then $M(t_1,t_2) \models A$ iff $V_M(t_1,t_2,A) = t$.
4.3 Definable Extensions of L

The boolean connectives ∨ and →, and the existential quantifier ∃, are defined for $L$ in the usual way. Henceforth, we assume that $\mathit{all}$ is a canonical string consisting of all program variables $x_1 \ldots x_n$, and if $s = y_1 \ldots y_n$ is any string of program variables, then there is a canonical string, $\mathit{all} - s = z_1 \ldots z_m$, of program variables that lists the program variables that do not appear in $s$.

Definition 4 Let $A$ be a formula of $L$, $s = y_1 \ldots y_n$ be any string of program variables, and $\mathit{all} - s = z_1 \ldots z_m$.

• $\Diamond_{y_1 \ldots y_n} A \equiv ((\#z_1 = .z_1 \wedge \ldots \wedge \#z_m = .z_m)\ \mathcal{U}\ ((\#z_1 = .z_1 \wedge \ldots \wedge \#z_m = .z_m) \wedge A))$⁴ for the language $L_{(\#,.)}(\mathcal{U})$, and

• $\Diamond_{y_1 \ldots y_n} A \equiv (\mathit{true} \to^{\mathit{all}}_{y_1 \ldots y_n} A)$ for the language $L_{SD}[I]$.

• $\Diamond A \equiv \Diamond_{\mathit{all}} A \equiv \Diamond_{x_1 \ldots x_n} A$,

• $\Box_{y_1 \ldots y_n} A \equiv \neg\Diamond_{y_1 \ldots y_n} \neg A$, and

• $\Box A \equiv \neg\Diamond\neg A$.

The semantics for these extensions are, of course, fixed by their definitions, but they are what one would expect. For example, if $M$ is a temporal structure and $t_1 \le t_2$ are times in $T$, then $M(t_1,t_2) \models \Box_{y_1 \ldots y_n} A$ iff for every $t_3 \ge t_2$, if the value of every program variable that is not in the set $\{y_i : 1 \le i \le n\}$ remains constant in the time interval $[t_2,t_3]$, then $M(t_2,t_3) \models A$.

A formula $A$ of $L$ has an upper-level dot (pound) if it contains an occurrence of a term of the form $.x$ ($\#x$) that is not in the scope of a temporal operator of $L$. We note the following simple fact:

If a formula $A$ of $L$ has no upper-level dots, then for every temporal structure $M$ and times $t_1 \le t_2$ of $T$,

$$M(t_1,t_2) \models A \leftrightarrow M(t_2,t_2) \models A$$

In this case we write $(M,t_2) \models A$.

We also note without proof that $L_{SD}[I]$ is equivalent to $L_{(\#,.)}(\mathcal{U})$ [4].

⁴ If $m = 0$, we take the invariant of the until to be true and the "eventually" formula to be $A$.
5 Proofs of Safety in SDVS

In this section we give a simple concurrent program, its translation, and the statement of two safety properties in the intermediate language $L_{(\#,.)}(\mathcal{U})$. The proof commands and transcripts of the proofs will be included in the next section.

This example is drawn from [8]; it was analyzed in [9] and proved in [10].

Program F

declare x : integer
declare y : integer

loop

assign

(y := −y if x ≤ 0 ∧ y > 0) || (x := x − 1)

end {F}

The variables $x$ and $y$ have some input value at the time this parallel program begins to execute. The symbol || separating the parallel branches has the (liveness) semantics that both branches get executed infinitely often, at "random" times, and perhaps simultaneously. This requires slightly more care: we mean that for each time when one branch gets executed, there is a later time when the other branch gets executed. There is no requirement about the relative frequency of execution of the two branches over the space of all possible computations.

Looking at the left-most parallel component, that involving $y$, note that the above condition on execution guarantees only that the test will be evaluated at arbitrary times; if the test is true, then at some later time the assignment to $y$ will be performed. It is not necessarily the case that at every time, if the test is true at that time, then the assignment will be made at some later time.

Also, the (safety) semantics determine that the following two properties hold:

• If $y$ is ever $< 0$, then $y < 0$ thereafter.

• $x$ is weakly decreasing, i.e., the value of $x$ is never greater than it was at a previous time.

Our translation of the program is the conjunction of $S_1$, $S_2$, and $S_5$ below, where

$S_0 : (\#x \le 0 \wedge \#y > 0) \to (\#y = .y\ \mathcal{U}\ \#y = -.y)$

$S_1 : \Box\Diamond_x S_0$

$S_2 : \Box(\#x = .x\ \mathcal{U}\ \#x = .x - 1)$

$S_5 : \Box\neg([\neg(\#x \le 0 \wedge \#y > 0) \vee \neg S_0]\ \mathcal{U}\ \#y \ne .y)$
$S_1$ describes when $y$ changes, and $S_2$ does the same for $x$. $S_5$ regulates the change in $y$ by forcing any change in $y$ to be due to $S_0$. No similar requirement need be placed on $x$.

The safety property that "$y \ne 0$ is stable" can be represented as

$S_6 : \Box(\#y \ne 0 \to \Box\,\#y \ne 0)$

and similarly for $y < 0$

$S_7 : \Box(\#y < 0 \to \Box\,\#y < 0)$

The fact that "$x$ never increases" can be written as

$S_8 : \Box(\#x \le a \to \Box\,\#x \le a)$

or equivalently,

$\Box\,\#x \le .x$

(however, the former gives a more direct translation to state deltas).
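To make the execution semantics of program F concrete, here is an added example (my code, not from the paper or SDVS) that explores every interleaving of the two parallel branches for a bounded number of steps, starting from a small constructed set of input values, and checks that no transition violates $S_6$, $S_7$ or $S_8$; a deliberately faulty variant of the test, constructed for this example, shows the same check catching an $S_7$ violation. The two-phase modelling of the left branch (the test is evaluated now, the assignment is performed at some later time, and y is frozen in between as $S_0$ requires) follows the description above; the state encoding, the initial values and the depth bound are assumptions.

```python
"""Bounded exploration of program F (added example, not the paper's code).

A state is (x, y, pending).  The left branch evaluates its test at an arbitrary
time; a true test is recorded as 'pending' and the assignment y := -y is performed
at some later time, y being frozen in between.  The right branch decrements x.
One step runs either branch, both at once, or neither (a stutter)."""
from collections import deque

def guard_f(x, y):                 # the test of program F
    return x <= 0 and y > 0

def guard_broken(x, y):            # constructed faulty variant: the y > 0 conjunct is dropped
    return x <= 0

def make_steps(guard):
    def steps(state):
        x, y, pending = state
        left = {state, (x, y, pending or guard(x, y))}   # left idle, or evaluate the test
        if pending:
            left.add((x, -y, False))                     # perform the delayed assignment
        succ = set()
        for (x1, y1, p1) in left:
            succ.add((x1, y1, p1))                       # right branch idle
            succ.add((x1 - 1, y1, p1))                   # right branch: x := x - 1
        return succ
    return steps

def explore(initial, depth, steps):
    """All (state, successor) transitions reachable within `depth` steps (breadth-first)."""
    seen, frontier, transitions = set(initial), deque((s, 0) for s in initial), set()
    while frontier:
        s, d = frontier.popleft()
        if d == depth:
            continue
        for s2 in steps(s):
            transitions.add((s, s2))
            if s2 not in seen:
                seen.add(s2)
                frontier.append((s2, d + 1))
    return transitions

def violations(transitions):
    """Transitions that break S6 (y != 0 stable), S7 (y < 0 stable) or S8 (x never increases).
    A property box(P -> box P) holds on every run iff no reachable transition leaves P,
    so inspecting single transitions suffices."""
    bad = []
    for (x, y, _), (x2, y2, _) in transitions:
        if y != 0 and y2 == 0:
            bad.append(("S6", (x, y), (x2, y2)))
        if y < 0 and y2 >= 0:
            bad.append(("S7", (x, y), (x2, y2)))
        if x2 > x:
            bad.append(("S8", (x, y), (x2, y2)))
    return sorted(set(bad))

def initial_states(lo=-2, hi=2):   # constructed input values for x and y
    return {(x, y, False) for x in range(lo, hi + 1) for y in range(lo, hi + 1)}

def check(guard, depth=4):
    return violations(explore(initial_states(), depth, make_steps(guard)))
```

`check(guard_f)` returns an empty list, while `check(guard_broken)` lists transitions such as (0, −1) to (0, 1) that negate a negative y and so break $S_7$.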

The theorem representing the safety properties of the above program is

Theorem 5 $S_1 \wedge S_2 \wedge S_5 \to S_6 \wedge S_7 \wedge S_8$

We discuss only two parts:

Theorem 6 $S_2 \to S_8$

and

Theorem 7 $S_5 \to S_7$

The proof of $S_6$ is more difficult and will not be considered here.

The correspondences between $S_2$, $S_5$, $S_7$, and $S_8$ and their state delta representations s2, s5, s7, and s8 are given below.

s2:

[sd pre: (true)
mod: (all)
inv: (#x = .x)
post: (#x = .x - 1)]

s5:

[sd pre: (true) post: (~(formula(p1)))]
p1:

[sd pre: (true)
comod: (all)
mod: (all)
inv: (~(#x le 0 & #y gt 0) or ~(formula(s0)))
post: (~(#y = .y))]

s0:

[sd pre: (.x le 0,.y gt 0)
comod: (x,y)
mod: (x,y)
inv: (#y = .y)
post: (#y = -.y)]

s7:

[sd pre: (.y lt 0) post: (formula(q1))]

q1:

[sd pre: (true) post: (#y lt 0)]

s8:

[sd pre: (.x le a)
post: (formula(x.always.le.a))]

x.always.le.a:

[sd pre: (true) post: (#x le a)]
6 SDVS Proof Commands and Transcripts

In this section we give the SDVS proof commands corresponding to the Negation Rule and the ω-Induction Rule, and give the transcript of the SDVS proof of Theorems 6 and 7. We do not intend the transcripts to be totally intelligible, since full explanation of all that is involved would take us too far afield. They are presented here more as a "proof of existence." The SDVS Users' Manual [?] contains all the details needed to follow the proof traces.

6.1 The Negate Command

In this section we note the circumstances in which the negate command is invoked and the results of its invocation. Suppose that at a certain stage of a proof $\neg S$ is known to be true by the system, where $S$ is the state delta

$$(p \to^{c}_{m} q)$$

(with invariant $I$). Then upon the user's invocation of the negate command with $S$ as its argument, SDVS prompts the user for the names of the three formulas that it will create and insert in the postcondition of the negated state delta. Specifically, SDVS will create and assert the following state delta $S^*$:

$$(\mathit{true} \to^{\mathit{all}}_{\neg c} (p[\#/.] \wedge (\mathit{formula(or1)} \vee \mathit{formula(or2)} \vee \mathit{formula(or3)})))$$

where

• formula(or1) = $(\mathit{true} \to^{\neg m} \neg q^*)$;

• formula(or2) = $\neg I$;

• formula(or3) = $(\mathit{true} \to^{\mathit{all}}_{m} (\neg I \wedge \neg q))$, with invariant $\neg q$;

• "or1", "or2", and "or3" are the names for the formulas given by the user;

• for any formula $s$, $s[\#/.]$ is obtained from $s$ by replacing all upper-level dotted places in $s$ by the corresponding #'s; and

• $q^*$ is obtained from $q$ by replacing all upper-level dotted places in $q$ by their symbolic values. For example, if $q = ((\#x = .y + 1) \wedge \alpha)$, where $\alpha$ is a state delta, then $q^*$ would have the form $((\#x = y123 + 1) \wedge \alpha)$, where $y123$ is the symbolic value of $.y$.

The state delta $S^*$ asserts that there is a future time $t_1$ such that the value of every place in $c$ remains constant between now and $t_1$, $p$ is true at $t_1$, and either

• $q$ is false at every time $t \ge t_1$ such that the value of every place in the complement of $m$ remains constant in the interval $[t_1,t]$, or
• the invariant $I$ is false at $t_1$, or

• there is a time $t_2 \ge t_1$ such that the value of every place in the complement of $m$ remains constant in the interval $[t_1,t_2]$, the invariant $I$ is false at $t_2$, and $q$ is false in the interval $[t_1,t_2]$.

6.2 The Omegainduct Command

If omegainduct is used in the course of a proof, the user must enter the "always formula," $\alpha$, and the "auxiliary formula," $\beta$, as parameters. The "always formula" $\alpha$ is the formula that will be asserted to be henceforth true. The purpose of the "auxiliary formula" is to allow the induction to proceed over loop bodies that are generated by the SDVS program translators. In these cases, the "auxiliary formula" is intended to be the state delta that asserts that execution is at the top of the loop. The form of the state deltas that are generated by the translators must be altered to allow proofs that involve the omegainduct command in these circumstances. This capability has not yet been implemented in SDVS and will not be discussed in this paper. If the user does not enter an auxiliary formula, the system assumes that the formula is "true."

After the "always" and "auxiliary" parameters have been added, SDVS opens the proof of the base-case state delta of the induction, $(\mathit{true} \to \alpha \wedge \beta)$. Once the user proves the base-case state delta, SDVS opens the proof of the step-case state delta

$$(\mathit{true} \to \rho)$$

where $\rho$ is the state delta

$$(\alpha \wedge \beta \to^{\mathit{all}}_{\mathit{all}} \alpha[\#/.] \wedge \beta[\#/.])$$

and where $I$ is $\alpha[\#/.]$. Once the step-case state delta has been proved as well, SDVS asserts the state delta $(\mathit{true} \to_{\emptyset} \alpha[\#/.])$ at the state at which the omegainduct command was given.
6.3 Transcripts of Proofs


In this section we present the proofs of the two safety properties. The following transcripts include the proof commands (marked with asterisks), interspersed with query commands for readability.

First the proof of Theorem 6, called safety1 below, using negate.


safety1:

[sd pre: (formula(s5),covering(all,x,y))
 post: (formula(s7))]


* sdvs.1 prove
sd: safety1
proof[]:

open - [sd pre: (formula(s5),covering(all,x,y))
 post: (formula(s7))]

Complete the proof.


* sdvs.1.1 prove
sd: s7
proof[]:

open - [sd pre: (.y lt 0)
 post: (formula(q1))]

Complete the proof.

sdvs.1.1.1 simp
expression: .y lt 0

true

sdvs.1.1.1 usable

u(1) [sd pre: (true)
 post: (~(formula(p1)))]

No usable quantifiers.

* sdvs.1.1.1 apply
sd[highest applicable]:
proof[]:

apply - [sd pre: (true)
 post: (~(formula(p1)))]

* sdvs.1.1.1 negate
state delta: p1
formula name #1: dis1
formula name #2: dis2
formula name #3: dis3

inserting negated state delta -
[sd pre: (true)
 comod: (all)
 mod: (diff(all,all))
 post: (#y = y6166,true,
 ([sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))])
 or
 ~(~(#x le 0 & #y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)])))
 or
 ([sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))]))]

sdvs.1.1.2 pp
this: dis1

formula dis1: [sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))]

sdvs.1.1.2 pp
this: dis2

formula dis2: ~(~(.x le 0 & .y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)])))

sdvs.1.1.2 pp
this: dis3

formula dis3: [sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or ~(formula(s0))),
 ~((~(#y = .y))))]

sdvs.1.1.2 usable

u(1) [sd pre: (true)
 comod: (all)
 mod: (diff(all,all))
 post: (#y = y6166,true,
 ([sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))])
 or
 ~(~(#x le 0 & #y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)])))
 or
 ([sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))]))]

u(2) [sd pre: (true)
 post: (~(formula(p1)))]


* sdvs.1.1.2 apply
sd[highest applicable]:
proof[]:

apply - [sd pre: (true)
 comod: (all)
 mod: (diff(all,all))
 post: (#y = y6166,true,
 ([sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))])
 or
 ~(~(#x le 0 & #y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)])))
 or
 ([sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))]))]

non-trivial propagations - ([sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))])

 ([sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))])

sdvs.1.1.2 pp
this: dis2

formula dis2: ~(~(.x le 0 & .y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)])))


* sdvs.1.1.2 mcases
number of cases: 2

1st case: formula(dis1)
proof[]:

2nd case: formula(dis3)
proof[]:

mcases - 2

open - [sd pre: (formula(dis1))
 comod: (all)
 post: ([sd pre: (true)
 post: (#y lt 0)])]


* sdvs.1.1.2.1.1 prove
sd: q1
proof[]:

open - [sd pre: (true)
 post: (#y lt 0)]

Complete the proof.

sdvs.1.1.2.1.1.1 usable

u(1) [sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))]

u(2) [sd pre: (true)
 post: (~(formula(p1)))]


* sdvs.1.1.2.1.1.1 apply
sd[highest applicable]: u
number: 1
proof[]:

apply - [sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))]

close - 0 steps/applications

close - 1 steps/applications


open - [sd pre: (formula(dis3))
 comod: (all)
 post: ([sd pre: (true)
 post: (#y lt 0)])]

Complete the proof.

sdvs.1.1.2.2.1 usable

u(1) [sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or ~(formula(s0))),
 ~((~(#y = .y))))]

u(2) [sd pre: (formula(dis1))
 comod: (all)
 post: ([sd pre: (true)
 post: (#y lt 0)])]

u(3) [sd pre: (true)
 comod: (all)
 mod: (diff(all,all))
 post: (#y = y6166,true,
 ([sd pre: (true)
 comod: (diff(all,all))
 post: (~((~(#y = y6166))))]) or
 ~(~(#x le 0 & #y gt 0) or
 ~(([sd pre: (.x le 0,.y gt 0)
 comod: (x,y)
 mod: (x,y)
 inv: (#y = .y)
 post: (#y = -.y)]))) or
 ([sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))]))]

u(4) [sd pre: (true)
 post: (~(formula(p1)))]

No usable quantifiers.

* sdvs.1.1.2.2.1 apply
sd[highest applicable]: u
number: 1
proof[]:

apply - [sd pre: (true)
 comod: (all)
 mod: (all)
 inv: (~((~(#y = .y))))
 post: (~(~(#x le 0 & #y gt 0) or
 ~(formula(s0))),
 ~((~(#y = .y))))]

The postcondition of the last applied state delta is inconsistent
with the current state.

close - 0 steps/applications

join - [sd pre: (formula(dis1) or formula(dis3))
 comod: (all)
 post: ([sd pre: (true)
 post: (#y lt 0)])]

close - 2 steps/applications

close - 1 steps/applications
Now the proof of Theorem 7, below called safety2, using omegainduct.

safety2:

[sd pre: (covering(all,x,y) & formula(s2))
 comod: (all)
 post: (formula(s8))]


* sdvs.1 prove

state delta[]: safety2
proof[]:

open - [sd pre: (covering(all,x,y) & formula(s2))
 comod: (all)
 post: (formula(s8))]

Complete the proof.

* sdvs.1.1 prove
state delta[]: s8
proof[]:

open - [sd pre: (.x le a)
 post: (formula(x.always.le.a))]

Complete the proof.

sdvs.1.1.1 usable

u(1) [sd pre: (true)
 mod: (all)
 inv: (#x = .x)
 post: (#x = .x - 1)]

No usable quantified formulas.

* sdvs.1.1.1 omegainduct

always-formulas: .x le a
auxiliary-formulas[]:
base proof[]:
step proof[]:

omegainduction on - (.x le a)

open - [sd pre: (true)
 comod: (all)
 post: (.x le a,true)]

close - 0 steps/applications

open - [sd pre: (true)
 post: ([sd pre: (.x le a,true)
 comod: (all)
 mod: (all)
 inv: (#x le a)
 post: (#all ~= .all,#x le a,true)])]

Complete the proof.

sdvs.1.1.1.2.1 goals

g(1) [sd pre: (.x le a,true)
 comod: (all)
 mod: (all)
 inv: (#x le a)
 post: (#all ~= .all,#x le a,true)]

* sdvs.1.1.1.2.1 prove
state delta[]: g
number: 1
proof[]:

open - [sd pre: (.x le a,true)
 comod: (all)
 mod: (all)
 inv: (#x le a)
 post: (#all ~= .all,#x le a,true)]

comment - prove the invariant of the state delta to be proven

open - [sd pre: (true)
 comod: (all)
 post: (#x le a)]

close - 0 steps/applications

Complete the proof.

sdvs.1.1.1.2.1.2 usable

u(1) [sd pre: (true) comod: (all) post: (#x le a)]

u(2) [sd pre: (true)
 mod: (all)
 inv: (#x = .x)
 post: (#x = .x - 1)]

No usable quantified formulas.

* sdvs.1.1.1.2.1.2 apply

sd/number[highest applicable/once]: u
number: 2

comment - prove the invariant prior to the application

open - [sd pre: (.x = x~12)
 comod: (all)
 post: (#x le a)]

close - 1 steps/applications

apply - [sd pre: (true)
 mod: (all)
 inv: (#x = .x)
 post: (#x = .x - 1)]

close - 1 steps/applications

close - 1 steps/applications

assert always formula
 - [sd pre: (true) post: (#x le a)]

close - 1 steps/applications

close - 1 steps/applications

sdvs.2 usable

u(1) [sd pre: (covering(all,x,y) & formula(s2))
 comod: (all)
 post: (formula(s8))]

No usable quantified formulas.
7 Conclusions


Proofs of typical safety properties of programs in temporal-logic-based systems can be facilitated by the use of two proof rules: the Rule of Negation and the ω-Induction Rule. We have shown that each of these rules is valid only on timelines of certain order types; the joint use of these two rules is valid only on timelines that are finite, or ordered like the natural numbers.

We have demonstrated the use of these rules by giving proofs of safety properties of a simple concurrent program in the State Delta Verification System (SDVS).